ClassCreator.com | Blockbuster sites, amazing reunions


Site "Not Secure"

Forums: General Discussion
Created on: 10/01/19 02:42 PM Views: 1160 Replies: 47
Tuesday, October 1, 2019 at 2:42 PM

Website security certificates. When I get to my two sites (CHSAA or Crestwoodstock sites), if you look up in the URL area, it says “not secure” before the URL location. If people see that “not secure” is part of the URL, that may wave them away from the site.

I have read that when you go to a site that uses HTTPS (connection security), the website's server uses a certificate to prove the website's identity to browsers, like Chrome.

------------------------------------------------------
How do I make my class creator sites secure for transactions and is there a cost to install a security certificate?

Reply
Tuesday, October 1, 2019 at 7:40 PM - Response #1

Google has updated their browser (and subsequently, major browsers have followed), to alert users whenever they are on any page of any site that is not secured by a security certificate. Your site is currently secured on all pages that were previously necessary such as cart check out pages of the Event Planner as well as your Login pages. Rest assured that your site is safe and secure. However, we are still looking into a solution for admins to acquire a security certificate for their sites so that all pages reflect a secure status. We are working with our team to solve the logistics of this task. We will inform all of our administrators as soon as we have a solution that will work for our unique site scenario.


Reply
Saturday, October 12, 2019 at 6:22 PM - Response #2

I too have the same concern about security. Two Items
1. When I go to our main page AND AM LOGGED IN, it shows "Not Secure" on Chrome unlike what your prior answer indicated. Am I reading this wrong, or doing something incorrectly?
2. Should I be using FF instead of Chrome? Tried FF and it also says not secure while I am logged in.
3. Also, this may be affecting it. I'm trying to use password saver software...it's driving me crazy as I often use the same PW on different sites (I know it's not a good idea). I've tried DashLane and just deleted it..driving me crazy, now trying Sticky Password.

4. Not your problem most likely, but while I use Malwarebytes 24/7 I just got two ransomware letters (I know these are emails, not direct/locking attacks, and they are badly written, gross, untrue, and several weeks old, found in my junk mail...and have NOT responded)...but security is getting a bit higher priority in my life now. Please advise. Thanks

Reply
Friday, November 15, 2019 at 4:49 PM - Response #3

Thanks, Scott...

Everybody is becoming more aware of security holes these days and that 'Not Secure' heading on the URL is spooking more than a few of our classmates.

Telling them to 'ignore it' because our site is actually very safe sounds a lot like 'whistling in the dark'

Be looking forward to a solution.

Reply
Friday, November 15, 2019 at 5:20 PM - Response #4

Forgot to mention, when I told (per your comment) one of our classmates that the pages where any secure information is required...such as the Log In page, "you will see that there is a secure icon (padlock, etc.)." He went away, grumbling...

So then he called me back 10 minutes later and said the 'Edit Profiles' page (where he loads pictures) was not secure. He's evidently right as I see no security icon.

The 'Edit Contact Info' page is secure, but because we're uploading pictures into the server (I presume) on the 'Edit Profile' page, does that then become a possible entry point for bad guys?

Reply
Friday, November 15, 2019 at 10:08 PM - Response #5

I'm not a security expert, but these are my thoughts:

There is a level of security built in to the Edit Profile page, in that a classmate must be logged in before he/she can view or edit that page. So, the Edit Profile page can only "become a possible entry point for bad guys," if the bad guys are logged in.

All the pages in the Member Functions section (Notify Me, Edit Contact Info, Edit Profile, Change Password, Log out) are viewable for editing only after one is logged in.

Reply
Edited 11/15/19 10:13 PM
Friday, November 15, 2019 at 10:31 PM - Response #6

I may be incorrect here, but pretty sure this will work to solve the "not secure" concern. In some ways it is similar to how the login, payment link name changes to https.

So here's my concept that is an easy way to do this (get sites secure with https), but it requires some changes by CC and a new Option for users (admins of a site, not classmates) since they "might" have to make a few changes. [I do here and there, but it's not too hard.]

Our sites with a domain name get directed to the actual name used by CC.

For example
http://www.bothellhigh61.com
is actually
https://www.classcreator.com/Bothell-WA-Bothell-Senior-1961/

So if you click either link, you end up at exactly the same place. The Difference is that the first is "not secure" and the second one IS secure.

Now if you click any of the left hand links CC has generated bothellhigh61.com links but that doesn't have to be that way at all.

To illustrate see this example of links Bothell Weather [Note: I just modified this page to show how it works if CC did this by making the page itself convert to the Secure version of the page. It's not an important page in case there's something I forgot - that a browser setting might complain about]

Clicking from either page link generates
http://www.bothellhigh61.com/Bothell-Weather.htm .. modified so it automatically goes to the next link
but actually this next link is exactly the same thing
https://www.classcreator.com/Bothell-WA-Bothell-Senior-1961/Bothell-Weather.htm

Now there is one problem and the home pages shows that. The https change affects the way default links are done by your browser and catches where you mixed secure and not secure references.

I hardcoded an iframe reference (in a script) using bothellhigh61.com and that violates "mixed content rule" for https - a security violation. Hence the scrolling classmate script does not run and is just a gray rectangle. On the bothellhigh61.com link it shows. This is very easy for me to fix. I just left it to show what happens. Similar issues occur for scripts.

So that's why it has to be an "option" to use the https name vs your domain name.

However, it solves the "not secure" issue described.

If you click some of the inner links, like Reunion Committee you can see that it stays "secure".

Should be very easy for CC to implement since if you stop paying for a site, that's actually what happens anyway.

[I forgot to post this some time ago and this post reminded me.]

Reply
Edited 11/17/19 2:34 PM
Saturday, November 16, 2019 at 12:04 PM - Response #7

Both Scott and Jack's posts are very helpful.

Scott you're right, and the 'black hats' have to get past the Log In to theoretically do very much. Perhaps not much of a hurdle, but it's there.

The crux of the problem is that (often RED) 'Not secure' notice that Google now puts in front of the URL. Heck it even makes me a little uneasy. My classmates with very little understanding of security tend to freak out.

I'm afraid explaining the nuance of your analysis, Scott, will not be enough...

Jack's points are impressive, your skills are way above mine Jack, in even figuring all this out.

But that's a problem as well, most of my classmates at 73 years of age are way past a somewhat technical solution that they would have to implement. They'd just stop coming to the site.

There must be a better way to keep our sites user friendly and secure; and without Google's non helpful 'Not secure' (in RED) notice.

But Class Creator is going to have to figure that out before we begin losing large amounts of classmates from all of our sites.

Reply
Saturday, November 16, 2019 at 1:38 PM - Response #8

This change will be completely transparent to Classmates - just the secure lock will appear vs not secure. I'm assuming that Classmates means the members of a class. They just click on exactly the same link they did before. No action required by them. CC does all the changes in the "background" so to speak. [Just like CC does now for Login, Payment, Editing, Manage Classmates etc. In fact, that is so transparent I bet many admins never noticed - those are the "users" I referred to not classmates]

The only thing CC does is 1) switch the "landing" page to the https version AND 2) change all the link names to the https version. They could do the second step and probably leave the first page alone. However, then the first page would still show not secure.

Most sites will be surprisingly adaptable. The reason is that when you use the Editor and Preview a Page, that is already what happens - it switches to your actual CC website address. Have not seen any complaints that a preview did not show correctly. Not a guarantee, but also tends to make me think it won't be a big problem.

To see this, select Edit Site Pages. Now pick a page and Click Preview. Notice that the upper link in browser is now Secure. Exact same page.

IOW, if you can see your pages in Preview, your site is good to go.

Mine has some very custom code. Most sites just use the default tools. The main thing that some sites need to "fix" is that they might have hardcoded links to their pages inside of other pages. They need to fix those links since they would still "work" but revert to the not secure version.

However, that is why it would be an Option in preferences. If somehow there was an issue, revert back if one did not understand how to fix. They could always ask here how to fix though. Almost all can be fixed if the referenced resource has an https version.

Reply
Edited 11/16/19 1:51 PM
Saturday, November 16, 2019 at 1:56 PM - Response #9

I forgot to mention that Step 2 code is already there in CC. It's what you get when you get a "free" site (or revert back to one). So the only change is actually Step 1.

Sites that Pay code would have the Option code added in Preferences (or?) and code to check option of course.

Reply
Sunday, November 17, 2019 at 8:28 PM - Response #10

Made a script so anyone can easily make any page "secured" but image links might need to be modified depending on how you did them. If CC changes, it will still work since it checks site http status.

EDIT: removed content because cookie gets removed so it did not work as intended. I was logged into https in one tab and testing in another tab using our actual Domain name. So I had two cookies active that made it all work.

Funny thing is that if you do NOT have a domain name it all works great. See THIS PAGE for how that works. That is a 100% secure ClassCreator site using https.

Reply
Edited 02/13/20 9:10 PM
Monday, December 23, 2019 at 10:39 AM - Response #11

Scott
any update on a solution for security certificates?

Thanks - Patrick

Reply
Thursday, February 13, 2020 at 7:08 PM - Response #12

Also to Scott: Here's "second" to the question about "any update on a solution for security certificates?"

Cheers, Allen.

Reply
Friday, February 14, 2020 at 11:24 AM - Response #13

“To see this, select Edit Site Pages. Now pick a page and Click Preview. Notice that the upper link in browser is now Secure. Exact same page.

IOW, if you can see your pages in Preview, your site is good to go.”

Jack, in Preview, everything on our website is Secure in Preview. Does this mean our site is Secure? Or does this mean CC should have an easy fix?
Thank you, Jack, for taking time to educate us!

Reply
Edited 02/14/20 11:28 AM
Friday, February 14, 2020 at 1:13 PM - Response #14

Thanks. I also got educated in reviewing the details. Especially with the script that worked perfectly, except that I did not realize I had two cookies (one for the Domain and one for classcreator https) active. With the newer restrictions coming, this issue is becoming urgent vs just something that will not affect our sites.

CC should have a relatively "easy fix". Right now when you use your Domain name to login, CC changes to the secure CC URL and then after you finish, it changes back to your Domain name. Which of course is not secure.

Sites that do NOT have a domain name get the default raw CC URL which is easily made https, even without CC doing anything, by the little script I wrote. If I started today, I would never get a Domain name. There are other ways but involved shelling out a few $$$ with another ISP.

The edit "Preview" is just to show that all your pages show as "secure".

What is interesting is that most pages that are not content related are now https. So that was a step towards security. They did forget a few. The login one being the most serious forgotten one.

Reply
Friday, February 14, 2020 at 4:00 PM - Response #15

“With the newer restrictions coming, this issue is becoming urgent vs just something that will not affect our sites.”

CC - Because this is urgent, CC please advise your solution to make my class website Secure. As an administrator, my classmates depend on me to provide them with an easy to access website.
Is anyone from tech support reading these comments?

Reply
Edited 02/14/20 4:04 PM
Saturday, March 7, 2020 at 8:20 AM - Response #16

This has become a big issue for me with classmates. When can we expect it to be resolved? I worked so hard to get classmates to use our site. I don't want to lose them now. I think it would be reasonable to expect a response from CC as to the target date for fix. Thanks.

Reply
Saturday, March 7, 2020 at 8:54 AM - Response #17

“The changes will take effect on March 31, 2020, and they won’t impact the way you use Google services.”

Unfortunately, there are two threads discussing the same topic.

I agree with Camille.
The google deadline to be security compliant is March 31, 2020 — that’s in 24 days. Jessica stated “We will be sending out a notice regarding the beta soon.”
My questions are: will CC install and what’s the date?
Thank you.

Reply
Edited 03/07/20 12:26 PM
Monday, March 9, 2020 at 6:41 PM - Response #18

Website security has been discussed on this Forum approaching 7 months, since October 1, 2019. Public Health is my area of expertise. In addition to providing my classmates with a website to communicate with one another, having the ability to share knowledge of critical health information with my classmates regarding this dreadful coronavirus in our Tri State locale is essential. This pandemic will continue to get worse not better.
On behalf of my classmates, I implore Class Creator to make the security fix now in advance of March 31, 2020.

Reply
Edited 03/09/20 11:47 PM
Tuesday, March 10, 2020 at 8:06 PM - Response #19

CC if you are monitoring. Silence is unnerving.

Reply
Friday, March 13, 2020 at 12:32 PM - Response #20

Class Creator, in a few hours the President will declare a national emergency. Our isolation could last two to six months.
Hope tech support is healthy.
Meanwhile, March 31, 2020 is the google security deadline. During these challenging times and to keep our website easy to locate and easy to monitor is there a date we can expect the security fix? Thank you

NOTE: Should there be no response, can our tech savvy administrators shed light on what will happen if our websites are not secure by March 31, 2020? Appreciation in advance.

Reply
Edited 03/13/20 1:06 PM
Friday, March 13, 2020 at 1:23 PM - Response #21

I just signed on to my site and did NOT see the "not secure" designation. Does that mean it is fixed?

Reply
Friday, March 13, 2020 at 1:32 PM - Response #22

Our website still shows insecure

Reply
Friday, March 13, 2020 at 1:33 PM - Response #23

No change. Could be Safari doesn't show that yet?

Reply
Friday, March 13, 2020 at 1:35 PM - Response #24

OK Thanks.

Reply
Sunday, March 15, 2020 at 8:23 PM - Response #25

Something appears to have changed. The logon page is now showing as "Not Secure" in Chrome. Haven't tried with any other browser.

Reply
Sunday, March 15, 2020 at 9:04 PM - Response #26

Been that way for some time. You must not have updated browser lately..

Reply
Sunday, March 15, 2020 at 9:30 PM - Response #27

Are you talking about the "head" login option? That's a BUG by CC and has also been reported starting in Nov 2019 here

Reply
Sunday, March 15, 2020 at 9:49 PM - Response #28
Not Secure and Secure.jpg

Jack Vermeulen wrote:

Are you talking about the "head" login option? That's a BUG by CC and has also been reported starting in Nov 2019 here

No, I'm not. And the unusual thing is that other CC sites I access that do not use the Responsive Design still show the logon page as being secure. All in Chrome.

Reply
Edited 03/15/20 9:55 PM
Sunday, March 15, 2020 at 10:32 PM - Response #29

Weird. Yes your site is screwed up (no offense) even with FF. No change for my site (RD). Except for the 'head' bug it's all https for login protected pages. [Edit see next post, think I discovered the reason.]

Checked a few other RD sites and they also are https for login. Like this one http://www.fairborn71.com/

FWIW, sites like yours without a domain can be https with the script I made. That's what this SITE is using that script

Edit: However, you still need to make sure all images used are HTTPS to avoid the not-secure flag.

Reply
Edited 03/15/20 10:44 PM
Sunday, March 15, 2020 at 10:43 PM - Response #30

OK, think I figured it out. The problem is that IMAGES are not HTTPS and Chrome/FF started complaining about pages without secure IMAGES. I kid you not. That is what I noted about a month ago. These ongoing changes are going to cause all sorts of issues.

The only way you can fix that ATM is to make your images fully qualified as

https://www.classcreator.com/Springfield-VT-1958/... rest of link

Forgot to mention: It comprises the BOTTOM images there which I do not think you can touch since CC made it fully qualified - CC needs to FIX that.

This is just one of them
http://www.classcreator.com/000/template_media/4F6B0DB5-ECF4-BBD7-B960C6FC938F04DF.jpg

Reply
Edited 03/15/20 10:59 PM
Sunday, March 15, 2020 at 11:10 PM - Response #31

It's got to be something else. I've taken all content except for some CC stuff off the home page and it's still Not Secure.

Reply
Sunday, March 15, 2020 at 11:22 PM - Response #32

I'm talking about the images on the BOTTOM. Those are still there. Copy and paste the link I gave and you can see what I'm referring to.

This is just ONE of all of those http://www.classcreator.com/000/template_media/4F6B0DB5-ECF4-BBD7-B960C6FC938F04DF.jpg

However, even if that is fixed (I manually played with it), pretty sure there's a link in there that is http that Chrome and FF are complaining about. You can't touch all of the code there.

Since other sites that are working normally, it has to be some http resource that is triggering "not secure". CSS references will also trigger that warning now.

If you go to the Scripts site you can see that it works (except I also have some http images on one page that I still need to fix myself).

Reply
Edited 03/15/20 11:28 PM
Sunday, March 15, 2020 at 11:48 PM - Response #33
not working.JPG

Jack Vermeulen wrote:

See if this works

Nope, got the attached when I clicked on the link.

Reply
Monday, March 16, 2020 at 12:04 AM - Response #34

It's just a screenshot of the BOTTOM of your page showing you the images there that are HTTP. Just copy and paste the link I gave so you can see one of them. It was to show you the images I'm referring to.

Your browser probably has to be configured to download PNG. I had to make mine use FF. Wish CC let you just paste an image here - that's never going to happen.

Reply
Monday, March 16, 2020 at 12:09 AM - Response #35

I re-read response 32 went to the link and saw the pictures to which you're referring. Have restored home page content and going to sign off for now. Thanks for all your input.

Reply
Monday, March 16, 2020 at 9:44 AM - Response #36

Thank you.
Our website today now appears to be Secure if using Chrome. If using Safari our site still says Insecure. I have not received any of the new updated comments. I logged on to see what’s going on.
Question: is our website Insecure or Secure?

Reply
Edited 03/16/20 12:23 PM
Monday, March 16, 2020 at 12:37 PM - Response #37

Vicky's site, she started this thread, experiences the same issue as mine, i.e. Not Secure logon page.

Reply
Edited 03/16/20 12:38 PM
Monday, March 16, 2020 at 1:01 PM - Response #38

Assume our site is Insecure? What will happen if the fix doesn’t occur by March 31?
Currently scrambling in Public Health. Hoped to avoid frivolous tasks.
Thank you for replying.

Reply
Monday, March 16, 2020 at 2:28 PM - Response #39

Vicky's site has this image that is not secure on the bottom of the page for Sign In, the FB one. It's another one CC has to fix by removing the fully qualified "http".

http://www.classcreator.com/000/template_media/75AFF271-ECF4-BBD7-B960E5A1B1A07EEB.jpg

ANY image that is fully qualified that does not have https will flag a page as not secure.

Reply
Edited 03/16/20 2:28 PM
Monday, March 16, 2020 at 2:56 PM - Response #40

FYI Vicky's other site is fine with the login. Also an RD site.

http://www.classcreator.com/chsaa/

So to emphasize, if there are ANY images that are not https, the signin will show not secure. Some of them you can fix, like the FB image. Other images that are not set by you, you need to remove for a bit - if it bothers you. IMO, that someone would use an insecure image on one of our sites is pretty remote. Unless you are some sort of James Bond character.

Reply
Edited 03/16/20 2:57 PM
Monday, March 16, 2020 at 6:18 PM - Response #41

Thank you!
Will look into it late tonight. We don’t use FB. How to know if an image is HTTPS?
We have hundreds of photos - if I don’t remove certain photos by March 31, can our website function as usual? Currently working 18 hr/days indefinitely

Reply
Edited 03/16/20 6:23 PM
Monday, March 16, 2020 at 6:38 PM - Response #42

Jack Vermeulen wrote:

So to emphasize, if there are ANY images that are not https, the signin will show not secure. Some of them you can fix, like the FB image. Other images that are not set by you, you need to remove for a bit - if it bothers you. IMO, that someone would use an insecure image on one of our sites is pretty remote. Unless you are some sort of James Bond character.

Not concerned at all. Was just pointing out what seemed to me a change in how the logon page was being treated. I'm sure that when CC initially made the change that it showed as secure and now it doesn't. Per your explanation it would appear that the cause is browsers treating images differently now than they did a while ago.

Reply
Monday, March 16, 2020 at 6:43 PM - Response #43

Sites will still work, it's just that the sign-in will show "not secure" if there's an image there that is http.

The idea is that when CC eventually gets around to giving all sites https ability (one is extremely easy to do - the one I proposed), your site will be all ready for that. Most images will automatically be good if one just used the Editor to create the images. One manually entered using http (or the ones that CC did not create properly) need to be fixed.

The simple way to see if you have any images that are not https is to go to Edit Site pages and click Preview. If it shows the "lock" everything is fine. If not, then something on the page needs to be fixed. That is not always an image. Scripts and CSS stuff may also need to be fixed .. pretty rare too, except that History has that problem.

Reply
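The Preview check described in the post above reports only that something on the page is still http, not which element. The following is an added example, not code from any poster or from Class Creator: a small Python scanner that lists every image, frame, script, stylesheet and hard-coded link on a page that would still load over plain http once the page itself is served over https. The host names, paths and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (attribute holding the URL, kind). In the thread, "active" items
# (the hard-coded iframe, scripts, CSS) stop working on an https page, while
# "passive" items (images) still load but cost the page its padlock.
SUBRESOURCES = {
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "embed": ("src", "active"),
    "object": ("data", "active"),
}


class SubresourceCollector(HTMLParser):
    """Collects (kind, tag, absolute_url) for every reference that is http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            target = ("href", "active") if "stylesheet" in rel else None
        elif tag == "a":
            # Not mixed content, but a hard-coded http link sends the visitor
            # back to the non-secure version of the site.
            target = ("href", "navigation")
        else:
            target = SUBRESOURCES.get(tag)
        if not target:
            return
        attr, kind = target
        raw = attrs.get(attr)
        if not raw:
            return
        # Relative and protocol-relative ("//host/...") URLs inherit https
        # from the page; only fully qualified http:// URLs remain insecure.
        resolved = urljoin(self.page_url, raw.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))


def find_mixed_content(page_url, markup):
    """Return the http references found in markup served from page_url."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page_url must be the https:// address of the page")
    collector = SubresourceCollector(page_url)
    collector.feed(markup)
    collector.close()
    return collector.findings


# Constructed sample page (hypothetical hosts, not a real site).
SAMPLE_PAGE_URL = "https://host.example/Class-1961/index.htm"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/Class-1961/site.css">
<link rel="stylesheet" href="http://www.class1961.example/extra.css">
</head><body>
<img src="photos/reunion.jpg">
<img src="//host.example/Class-1961/banner.jpg">
<img src="http://host.example/000/template_media/footer.jpg">
<iframe src="http://www.class1961.example/scroller.htm"></iframe>
<script src="https://host.example/js/menu.js"></script>
<a href="http://www.class1961.example/Reunion-Committee.htm">Committee</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:<10} <{tag}> {url}")
```

Run against a saved copy of a page, the "passive" and "active" rows are the references to change to https or to relative form; the "navigation" rows are the hard-coded page links that drop visitors back to the http address.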
Monday, March 16, 2020 at 6:50 PM - Response #44

F C Bock wrote:

Per your explanation it would appear that the cause is browsers treating images differently now than they did a while ago.

Yes. Chrome announced that change a few months ago. I suspect though that eventually they will BLOCK mixed resources. That is already being done for CC History pages by Chrome, Firefox and Opera. The videos in History do NOT show. [If you make the page https in Chrome it works but not for FF or Opera.]

IOW, this is being done in steps to give sites the chance to adjust. The same way that Flash got disabled. Some CC Flash based features no longer work.

Reply
Edited 03/16/20 6:57 PM
Monday, March 23, 2020 at 3:13 PM - Response #45

Can anyone reassure if I do nothing, our website remains as it is today?

Hoping all remain safe & healthy

Reply
Monday, March 23, 2020 at 3:38 PM - Response #46

You won't have to do anything more. We will have options soon for those who want to secure using their own domain as well.

In the meantime the March 31st deadline item related to securing downloads has been addressed. We have secured all document downloads across the entire network of sites using our secure ID. That was the item Jack posted originally and it is done so nothing new will be affected as of that date.


Reply
Monday, March 23, 2020 at 3:46 PM - Response #47

Thank you Jessica. Prefer to keep our domain.
Will await options.

Reply
Edited 03/23/20 3:49 PM